
Network Scanning Policy - Template

While digging for some unrelated info, I came across this network scanning policy that I thought others could use as a template for their own. Anyway, hope this is helpful.

Title of Policy: Network Scanning of Computing Systems

Purpose of Policy: To prohibit the use of the University's computers, electronic communications, or other information technology resources to perform network-based scans on any computing system without the written permission of the system owner or system administrator.

Person(s) with Primary Responsibilities: Primary responsibility belongs to the Chief Information Officer. The Director of IT Security will coordinate technical investigations of network scanning incidents.

General Statement: It is the policy of YOUR NAME HERE that no computer system procured or managed by the ENTITY or connected to the ENTITY's network shall be used to perform network scans on any computer system, except under the following conditions:

A system may be scanned by the owner or the system administrator of that system.
A person may scan a system on behalf of another only after receiving written permission signed and dated by the owner or system administrator of that system. This document shall include a specific time period during which the scan(s) may be performed. Any additional scanning shall require separate written approval.
The ENTITY network and system staff may perform network scans in an effort to resolve a service problem, as a part of normal system operations and maintenance, or to enhance the security of the systems that they manage.
The ENTITY IT security staff and internal auditing staff may perform network scans to monitor compliance with ENTITY policy, to perform security assessments, or to investigate security incidents.

Definitions
Network Port: A numeric identifier used to distinguish between different network services (e.g., HTTP, Telnet, FTP) on the same computing system. Although port numbers range from 0 to 65536, many well-known services have reserved port numbers between 0 and 1024 (e.g., HTTP uses port 80, Telnet uses port 23, and FTP uses ports 20 and 21). To establish a session with a host, a network request must be sent to the appropriate port number on the host. That is, to establish an HTTP session with a web server, your workstation software will send a request to port 80 of the web server.
Network Port Scanning: The process of sending data packets over the network to selected service port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the purpose of identifying available network services on that system. This process is helpful for troubleshooting system problems or tightening system security. Network port scanning is an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Vulnerability Scanning: The process of identifying known vulnerabilities of computing systems on the network. This process goes a step beyond identifying the available network services of a system as performed by a network port scan. The vulnerability scan will identify specific weaknesses in the operating system or application software, which can be used to compromise or crash the system. Vulnerability scanning is intrusive and should be performed with care, as some scans can cause systems to crash or to behave erratically. The vulnerability scan is also an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Network Scanning: The use of a computer network for gathering information on computing systems, which may be used for system maintenance, security assessment and investigation, and for attack. This includes network port scanning and vulnerability scanning.
Threats to ENTITY's Information and Information Resources
Network scanning, if used properly, is a formidable tool for protecting our information and information resources. On the other hand, unauthorized network scans pose a serious threat to the availability, integrity, and confidentiality of our electronic information and our information resources.
Unauthorized network scans can result in:

Disclosure of Sensitive Data: Network scans yield a tremendous amount of information about our networked computing systems. This information is crucial to attackers in their efforts to compromise computer systems. If a critical system is compromised, an attacker may have unlimited access to confidential data.
Loss of Service: Network attacks vary greatly in nature. The goal of the attack may be to gain control of a computing system or to simply make the system unavailable to others. Even the process of vulnerability scanning can cause a system to crash or behave erratically.
Loss of Network and System Performance: Network scanning can involve hundreds or even thousands of computing systems. The sheer volume of network traffic requests can place an incredible strain on the resources of our computing systems and the ENTITY network, resulting in less than optimal performance for University users.
Loss of Reputation: As a member of the global Internet village, our actions directly affect the safety of information and information resources around the world. By allowing the University's computing resources to be used to compromise systems belonging to our global neighbors, our reputation as a responsible member of the Internet will be tarnished.
Violations
Violations of this policy will be addressed as violations of the "ENTITY Computer Use Policy" and the "ENTITY Employee Computer Use Policy."

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
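As an added illustration of the policy's definitions (this script is not part of the posted template or the original thread), the following Python code shows what a port scan and a host sweep look like in a connection log and how the network and security staff the policy authorizes might flag scans nobody approved. The log format, addresses, timestamps and thresholds are constructed for the example.

```python
"""Flag port-scan-like behaviour in a connection log.

Two patterns from the policy's definitions are detected:
  * port scan  - one source touches many service ports on one host
  * host sweep - one source touches one port on many hosts
Both are judged inside a sliding time window per source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Each line is:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.1.20 80 ALLOW
2024-05-01T10:00:01 10.0.0.5 10.0.1.20 443 ALLOW
2024-05-01T10:00:01 10.0.0.9 10.0.1.20 22 DENY
2024-05-01T10:00:02 10.0.0.9 10.0.1.20 23 DENY
2024-05-01T10:00:02 10.0.0.9 10.0.1.20 25 DENY
2024-05-01T10:00:03 10.0.0.9 10.0.1.20 80 ALLOW
2024-05-01T10:00:03 10.0.0.9 10.0.1.20 110 DENY
2024-05-01T10:00:04 10.0.0.9 10.0.1.20 143 DENY
2024-05-01T10:00:04 10.0.0.9 10.0.1.20 443 ALLOW
2024-05-01T10:00:05 10.0.0.9 10.0.1.20 3389 DENY
2024-05-01T10:00:10 10.0.0.7 10.0.1.21 445 DENY
2024-05-01T10:00:11 10.0.0.7 10.0.1.22 445 DENY
2024-05-01T10:00:11 10.0.0.7 10.0.1.23 445 DENY
2024-05-01T10:00:12 10.0.0.7 10.0.1.24 445 DENY
2024-05-01T10:00:12 10.0.0.7 10.0.1.25 445 DENY
2024-05-01T10:00:13 10.0.0.7 10.0.1.26 445 DENY
2024-05-01T10:05:00 10.0.0.5 10.0.1.20 80 ALLOW
"""

# Assumed tuning values; a real deployment would set these from baselines.
WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 6   # distinct ports on one host from one source
HOST_THRESHOLD = 5   # distinct hosts on one port from one source


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    events.sort(key=lambda e: e[0])
    return events


def detect_scans(events, window=WINDOW,
                 port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return one alert per (source, pattern, target), with the peak count seen.

    For every source, each event opens a window; all events of that source
    inside the window are grouped by host (ports touched) and by port
    (hosts touched), and the thresholds are applied to the distinct counts.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        for i in range(len(evs)):
            start = evs[i][0]
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for ts, _, dst, port, _ in evs[i:]:
                if ts - start > window:
                    break
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    key = (src, "port_scan", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= host_threshold:
                    key = (src, "host_sweep", port)
                    alerts[key] = max(alerts.get(key, 0), len(hosts))

    ordered = sorted(alerts.items(), key=lambda kv: (kv[0][0], kv[0][1], str(kv[0][2])))
    return [{"src": s, "kind": k, "target": t, "count": c} for (s, k, t), c in ordered]


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{alert['src']}: {alert['kind']} against {alert['target']} "
              f"({alert['count']} distinct in {WINDOW.seconds}s)")
```

Run as is, the script reports 10.0.0.9 probing eight ports on 10.0.1.20 (a port scan) and 10.0.0.7 trying port 445 on six hosts (a sweep), while 10.0.0.5's two ordinary web connections stay quiet. Alerts like these are the trigger for the policy's other half: checking whether the source holds the dated written permission the template requires, or belongs to the staff groups it exempts.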

I'm not sure I agree with that policy much. It seems to be based on one false assumption: port scanning is bad, which of course it isn't.

The fact that it came from a university is even more surprising. My knowledge of networks and ports and tcp/ip communication has been greatly, GREATLY enhanced by port scanning. Programs like the Angry IP Scanner and NMAP have proven to be great learning tools.

"Network port scanning is an information gathering process..." is the one statement in the policy that I absolutely, 100% agree with. Does this mean that this University doesn't want its staff or students to engage in information gathering processes??

"...when performed by unknown individuals it is considered a prelude to attack." Possibly, or it could be the prelude to a patch of some vulnerability or other.

Additionally, I wonder if this policy was drawn up by a network administrator, or a faculty member who doesn't fully understand what port scanning is really all about?

Actually, I posted the policy more for the mechanics and what you may expect to see in one, not to debate the content. Although I do agree that it is good to comb over any policy that you are going to implement, especially if you are going to cut -n- paste from a template.

--TH13


I knew that it wasn't a policy you made up; I'm not criticizing you for the content at all, and at my university we have a network use policy too. I was just pointing out some of my objections to the content.

Port scanning is not necessarily a bad thing, nor is having a policy to ensure your network is secure using port scanning. But when you have an inside user "playing" it can wreak havoc.
Port scanning is a useful tool for Admin purposes and I support it. Also, don't forget to test your policy before implementation. I have seen policy implemented before testing and it created a mess.